I have questions regarding the incident management first and second stage which are 1) incident classification, and initial support, 2) incident investigation.
I need to know what's exactly the different between the initial support process which done by the service desk team, and investigation process that done by second level support team.
Why am asking this, is because am designing the use cases for incident management in details, and what I found that the task that done by the service desk team in initial support is repeated by the 2nd level support team.

Basically Salwa they both have the same Goal
To restore normal service operation as quickly as possible and minimize the adverse impact on business operations.

First, second & third line support staff
Although mentioned in the same sentence, these people differ a lot. First are the least respected people in IT, and the last, 3rd line are usually holly cows.

1st line support advisors are there to handle the simpler (but no less worthy) queries that come in and act as a filter / information gathering point for 2nd line support. Basically escalaiting the incident to higher engineers in the 2nd line support.

2nd line support take more complicated/ higher priority incidents that the 1st line couldnt restore as quickly as possible. Also 2nd line sends Rfc's to the change management.

I already know this info, but What i need to know, is what exactly the need for investigation & diagnoses phases. All what 2nd level support do is searching for matched Know error or workaround ,as the service desk do in intial support stage.

Fisrt line support will usually try to restore the service by applying available procedures (hence the importance of the known error concept which should basically result in a written procedure to restore the service)

Level 2 will try to restore the service by applying experimented operational knowledge

Level 3 will ... by using expert technical/architecture/conceptual knowledge...

1st line should not look for solutions beyond those documented in known errors lists and other procedures (also because they can't waste time on this while they have to be available to pick up next calls).